Login Sign Up

CVE-2021-23440

7.3 HIGH
Authentication Bypass

📋 TL;DR

CVE-2021-23440 is a type confusion vulnerability in the set-value npm package that allows attackers to bypass previous security fixes (CVE-2019-10747) when user-provided keys in path parameters are arrays. This can lead to prototype pollution attacks. Affected are applications using vulnerable versions of set-value directly or as a dependency.

💻 Affected Systems

Products:
  • set-value npm package
Versions: set-value <2.0.1, >=3.0.0 <4.0.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using vulnerable versions of set-value either directly or as a transitive dependency is affected.

📦 What is this software?

Communications Cloud Native Core Policy by Oracle

View all CVEs affecting Communications Cloud Native Core Policy →

Set Value by Set Value Project

View all CVEs affecting Set Value →

Set Value by Set Value Project

View all CVEs affecting Set Value →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution or complete system compromise through prototype pollution leading to arbitrary code execution in Node.js applications.

🟠

Likely Case

Application instability, denial of service, or limited data manipulation through prototype pollution.

🟢

If Mitigated

Minimal impact if input validation and sanitization are properly implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is available in public references. Exploitation requires user-controlled input to vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: set-value >=2.0.1, >=4.0.1

Vendor Advisory: https://github.com/jonschlinkert/set-value/security/advisories

Restart Required: Yes

Instructions:

1. Update package.json to use set-value >=2.0.1 (for v2) or >=4.0.1 (for v3/v4). 2. Run 'npm update set-value' or 'yarn upgrade set-value'. 3. Restart the application.

🔧 Temporary Workarounds

Input validation and sanitization

all

Implement strict input validation to ensure path parameters are not arrays before passing to set-value functions.

🧯 If You Can't Patch

  • Implement strict input validation to reject array keys in path parameters
  • Use alternative libraries like lodash.set or dot-prop with proper security configurations

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for set-value version. Run 'npm list set-value' or check node_modules/set-value/package.json.

Check Version:

npm list set-value | grep set-value

Verify Fix Applied:

Verify set-value version is >=2.0.1 (if using v2) or >=4.0.1 (if using v3/v4) after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual application crashes, unexpected prototype modifications, or errors from set-value functions

Network Indicators:

  • Unusual HTTP requests with array-like parameters to endpoints using set-value

SIEM Query:

Search for application logs containing 'set-value' errors or prototype pollution indicators

📊 Metadata

CVE ID: CVE-2021-23440
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-843
Published: September 12, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23440, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2020-25575 9.8

This vulnerability in the Rust failure crate (versions through 0.1.5) involves a type confusion flaw...

Same vulnerability type (CWE-843)